2025 was an inflection point for how organizations think about security data.

Security-relevant data volumes continued to grow across SIEMs, EDRs, cloud platforms, identity systems, SaaS applications, and line-of-business apps. At the same time, SIEM costs rose, retention windows shrank, and AI adoption forced security leaders to confront a hard truth: you can’t apply AI effectively if your data isn’t accessible and usable.

Throughout the year, Query stayed laser-focused on a clear mission: helping security teams leverage data to achieve better outcomes – faster, and with less operational burden.

That work is grounded in our Product Vision, built around four pillars:

  • Access & answers from all security-relevant data
  • Choice & flexibility in security data architecture
  • Decision support for security operations workflows
  • Control over costs as data volumes scale

In 2025, we made meaningful progress across every one of these pillars.


The Security Data Challenge Has Changed

Security teams are no longer struggling to collect data. They’re struggling to use it.

Centralizing everything into a SIEM is increasingly unrealistic. Data pipelines are brittle and expensive to maintain. Analysts lose time pivoting across tools. Engineering teams are buried under ETL work, and CISOs are under pressure to reduce spend without reducing coverage.

Query exists because these challenges aren’t edge cases. They’re now the norm. Here’s a rundown of the major new features and enhancements we made to the Query platform in 2025…


Security Data Mesh Platform: Federation Not Centralization

At the core of Query is the Security Data Mesh Platform, designed to enable a federated approach to security data architecture.

Instead of ingesting and duplicating data, Query connects directly to distributed sources and enables real-time access where the data already lives.

Key principles:

  • No ingestion
  • No duplicate storage
  • Data stays at the source

This architecture supports high-volume security operations use cases including detections, investigations, threat hunting and incident response.

Expanding Connector Coverage

In 2025, we expanded our ecosystem of pre-built connectors to over 50 data sources, including:

  • SIEMs: Splunk, Microsoft Sentinel, Google SecOps, CrowdStrike Next-Gen SIEM
  • Cloud and analytics platforms: Amazon Security Lake, Amazon Athena + S3, Azure Data Explorer, Databricks, Snowflake
  • Leading solutions for Cloud Security, Data Security, EDR, Identity, ITSM, MDM, threat intelligence and more.

The goal is simple: access security-relevant data wherever it lives.


Federated Search Query Language (FSQL) and FSQL REST API

The Federated Search Query Language (FSQL) provides a single, security-focused syntax to search across heterogeneous data sources without requiring analysts to learn multiple query languages.

FSQL enables analysts to:

  • Create sophisticated search conditions
  • Retrieve and filter events and observables across platforms
  • Normalize results across schemas
  • Analyze distributed data through one interface

For automation and integrations, the FSQL REST API enables machine-to-machine access to federated search results, schema metadata, and connector information – supporting SOAR, detection engineering, and AI workflows.


Extending Splunk Without Increasing SIEM Costs

Splunk remains a cornerstone of many security environments. In 2025, we continued investing in the Query Splunk App to help customers extend Splunk’s value without increasing ingestion costs.

Key enhancements included:

Together, these improvements reduce analyst pivots, improve investigation speed, and lower total cost of ownership.


AI-Enabled Security Operations, Built on Access to Normalized Data

AI adoption accelerated rapidly in 2025, but security teams quickly learned that AI without accessible data delivers limited value. That’s why Query’s AI capabilities are built directly on the Security Data Mesh.

Mission-Specific Security Agents

We introduced Mission-Specific Agents to automate repetitive security operations tasks such as alert triage, context gathering, data enrichment and response recommendations. These agents help teams spend less time assembling data—and more time making decisions.

We’ve also introduced agents for converting Natural Language, SPL, KQL and Sigma into FSQL queries, making it easier for analysts to construct queries that meet their search intent and for customers to convert existing queries and detection content into FSQL.

CoPilots and Support for MCP and A2A Protocols

Query CoPilots assist with:

  • Data onboarding and schema mapping
  • Constructing accurate & efficient queries
  • Analyzing search results
  • Guiding response actions

With support for the MCP and A2A protocols, customers can bring their own models and agents, leveraging normalized access to distributed security data.


Faster Onboarding and Data Mapping

Data onboarding remains one of the biggest blockers to effective security operations.

In 2025, enhancements to our Configure Schema capabilities made it faster and easier to onboard data from SIEMs, data lakes, lakehouses, and object storage – reducing reliance on custom engineering work and long pipeline projects.


Security Data Pipelines: Sometimes You Need to Move Data

Federation isn’t always enough. Compliance, retention, and architectural requirements sometimes require data movement.

To address this, we launched Security Data Pipelines, enabling teams to write the gold layer of a medallion architecture directly to:

  • Amazon S3
  • Azure Blob Storage (ADLSv2)
  • Google Cloud Storage
  • Splunk

Security Data Pipelines eliminate the need for brittle ETL jobs while preserving control over cost and retention.


Federated Detections: Making Detection Engineering Accessible

Federated Detections entered public preview in late 2025 and will reach general availability in January 2026, bringing detection logic directly to distributed data sources without ingestion. The breadth of supported data sources, together with detection engineering made accessible through FSQL and AI assistance, is proving to be a real game changer, all powered by the security data mesh.


Looking Ahead: Security Data in 2026

In 2026, we’ll continue expanding the Query Security Data Mesh platform with a focus on:

  • Configurable data visualization
  • Graph-based views for investigations & decision support
  • More AI-ready data and AI-powered workflows
  • Broader connector coverage across security and IT systems

Our mission remains unchanged: empowering security teams to leverage data for better security outcomes.

If you’re defining a security data strategy, planning a SIEM migration, adopting cloud security data lakes, or looking to reduce security operations costs, there’s a strong chance Query can help.

Reach out and connect with one of our SecDataOps experts—we’d love to partner with you.